Posted to users@tomcat.apache.org by Ken Bowen <kb...@als.com> on 2007/10/26 18:26:56 UTC

Turning off jsessionid

Hi All,

Is there a way to tell Tomcat to never rewrite urls?  I.e., to never add 
jsessid ?

Thanks,
Ken Bowen

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Turning off jsessionid

Posted by Len Popp <le...@gmail.com>.
On 10/26/07, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Ken,
>
> Ken Bowen wrote:
> > Is there a way to tell Tomcat to never rewrite urls?  I.e., to never add
> > jsessid ?
>
> Do you want to completely disable sessions, or just always require cookies?

If the site doesn't need to use sessions at all, make sure the app
never calls request.getSession() and put <%@page session="false"%> in
all the JSPs.

> This post from July 2004 includes a suggestion for a workaround when you
> /really/ don't want url rewriting to ever occur:
>
> http://mail-archives.apache.org/mod_mbox/tomcat-users/200407.mbox/%3C4106C206.2020702@fiskars.com%3E

and here's another link with code snippets:
http://mail-archives.apache.org/mod_mbox/struts-user/200311.mbox/%3c3FBA8A39.8010907@fiskars.com%3e

Keep in mind that if you go this route, your site will require users
to have session cookies enabled.

> I'm not sure why you'd ever want to do this, though. I'd love to hear
> your reason for doing it, though.

Actually, you have heard a reason for it before. :-)
http://mail-archives.apache.org/mod_mbox/tomcat-users/200612.mbox/browser
-- 
Len



Re: Turning off jsessionid

Posted by Peter Stavrinides <p....@albourne.com>.
Actually this is not so uncommon, and there are many 'good' reasons to do 
so, see:
http://randomcoder.com/articles/jsessionid-considered-harmful

Here is an example of a filter that takes care of this:
http://randomcoder.com/repos/public/randomcoder-website/tags/1.0.3/WEB-INF/src/com/randomcoder/security/DisableUrlSessionFilter.java

Best wishes,
Peter

curunir wrote:
> Since you were curious why someone would want to disable URL rewriting, I can
> tell you why we had to do this.
>
> For our client, it was taken for a given that users would be frequently
> copying/pasting URLs in emails and IMs to other users. It's not a necessary
> part of our application, but we all know the vast majority of computer users
> are basically clueless when it comes to security and simply won't consider
> the security implications of their actions. If you enable URL rewriting, it
> makes it possible for someone visiting a URL sent to them in an email/IM to
> be logged in as the user who was originally passed the URL. Additionally,
> the users of the application frequently take screenshots when submitting
> bugs and those screenshots would, in many cases, also include the session
> id.
>
> In our application, where real money is at stake, this kind of risk is
> unacceptable. I'd go as far as to say that URL rewriting is fundamentally
> insecure for this reason and should be turned off whenever it's possible
> that URLs would be exposed in either of these two manners (provided your
> application requires a decent level of security).
>
>
>
> Christopher Schultz-2 wrote:
>   
>> ...
>>
>> I'm not sure why you'd ever want to do this, though. I'd love to hear
>> your reason for doing it, though.
>>
>> ...
>>
>>     
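As an added illustration of the kind of filter the article and the thread's links describe (this is example code written for this page, not the randomcoder.com filter and not part of Tomcat; the class name NoUrlRewritingFilter is hypothetical), the following does the two things such a filter needs to do: it wraps the response so that encodeURL/encodeRedirectURL never append ;jsessionid, and it refuses to let a session id that arrived in the URL (a pasted link, a screenshot) resume that session.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * NoUrlRewritingFilter: hypothetical name, added example (not the randomcoder.com
 * filter and not part of Tomcat). Two jobs: never let ";jsessionid=..." be appended
 * to a URL, and never let a session id that arrived in the URL resume a session.
 */
public class NoUrlRewritingFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(resp instanceof HttpServletResponse)) {
            chain.doFilter(req, resp);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // An id in the URL has already been exposed (pasted link, screenshot, log line,
        // Referer header). Tomcat gives a session cookie precedence over a URL id, so this
        // branch fires for a client that presented the id without the matching cookie.
        // Ending the session means the link recipient gets nothing, at the cost of
        // logging out the original user. getSession(false) never creates a session, so
        // a cookie-less crawler is not handed a fresh one on every request here.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession exposed = request.getSession(false);
            if (exposed != null) {
                exposed.invalidate();
            }
        }

        chain.doFilter(request, new NoRewriteResponse(response));
    }

    /** Response wrapper whose encode*() methods hand the URL back untouched. */
    private static final class NoRewriteResponse extends HttpServletResponseWrapper {
        NoRewriteResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public String encodeURL(String url) {
            return url;
        }

        @Override
        public String encodeRedirectURL(String url) {
            return url;
        }

        // Deprecated Servlet 2.0 spellings, still called by some older tag libraries.
        @Override
        public String encodeUrl(String url) {
            return url;
        }

        @Override
        public String encodeRedirectUrl(String url) {
            return url;
        }
    }
}
```

Map it in web.xml with a `<filter>` and a `<filter-mapping>` on `/*`, ahead of any filter or servlet that renders links, so every call to encodeURL() in the application and its tag libraries goes through the wrapper. Containers implementing Servlet 3.0 or later (Tomcat 7 onwards) can be told the same thing declaratively, without a filter, via `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml; the wrapper approach is what was available at the time of this thread.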




Re: Turning off jsessionid

Posted by curunir <sp...@synth.org>.
Since you were curious why someone would want to disable URL rewriting, I can
tell you why we had to do this.

For our client, it was taken for a given that users would be frequently
copying/pasting URLs in emails and IMs to other users. It's not a necessary
part of our application, but we all know the vast majority of computer users
are basically clueless when it comes to security and simply won't consider
the security implications of their actions. If you enable URL rewriting, it
makes it possible for someone visiting a URL sent to them in an email/IM to
be logged in as the user who was originally passed the URL. Additionally,
the users of the application frequently take screenshots when submitting
bugs and those screenshots would, in many cases, also include the session
id.

In our application, where real money is at stake, this kind of risk is
unacceptable. I'd go as far as to say that URL rewriting is fundamentally
insecure for this reason and should be turned off whenever it's possible
that URLs would be exposed in either of these two manners (provided your
application requires a decent level of security).



Christopher Schultz-2 wrote:
> 
> ...
> 
> I'm not sure why you'd ever want to do this, though. I'd love to hear
> your reason for doing it, though.
> 
> ...
> 




Re: Turning off jsessionid

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ken,

Ken Bowen wrote:
> But all this leads to the obvious question (which I asked): If I'm not
> going to allow jsessionid's to slip out, can I suppress
> their creation totally?

The "creation" of the id is implicit in the creation of the session: the
session simply /has/ an id. You're trying to avoid appending it to
the URL in all cases. The filter you referenced should do that.

> Now, having said all that, I'm more than open to hearing alternative
> ways of dealing with the problem, namely that search
> engines penalize you for the presence of jsessionid's.

The filter will prevent the session from appearing in URLs. Just note
that if a cookie-less spider (that's pretty much all of 'em) hits your
website and you use sessions without url rewriting, then every single
request from the spider will generate a new session (yikes!).

You may want to be careful about even creating sessions when you detect
a search spider.

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHIibn9CaO5/Lv0PARAqM4AJ9VRThAQdqHp4xaN3E5XRVTccWq1gCgi7nT
0BetvQ/E81m5lzaKDRngjzs=
=Ddap
-----END PGP SIGNATURE-----



Re: Turning off jsessionid

Posted by Ken Bowen <kb...@als.com>.
Chris,

a) Yes, I plan to always require cookies, because of ...
b) It's the search engine issue:  They are cookie-less, and one gets 
(severely?) penalized by letting the jsessionid's slip out.
While I'm using UrlRewriteFilter to provide an abstraction to the site's 
urls (and it works great),  I didn't seem to be able
to use it to suppress all url rewriting.   I use 
http://validator.w3.org/checklink to check out how things are behaving.

So what I've done is use the filter described in 
http://randomcoder.com/articles/jsessionid-considered-harmful . This
is short and sweet, and appears to do the job, and is the solution 
recommended by the link you sent -- thanks for that.

What I haven't done yet is to check whether the browser is supporting 
cookies, and if the answer is no, make sure that
we raise an alert in front of the user to the effect that the site won't 
work right without cookies.

But all this leads to the obvious question (which I asked): If I'm not 
going to allow jsessionid's to slip out, can I suppress
their creation totally?

Now, having said all that, I'm more than open to hearing alternative 
ways of dealing with the problem, namely that search
engines penalize you for the presence of jsessionid's.

Cheers,
Ken

Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ken,
>
> Ken Bowen wrote:
>   
>> Is there a way to tell Tomcat to never rewrite urls?  I.e., to never add
>> jsessid ?
>>     
>
> Do you want to completely disable sessions, or just always require cookies?
>
> While the servlet specification does not require containers to provide
> URL-rewriting, they are nearly useless without that capability.
>
> This post from July 2004 includes a suggestion for a workaround when you
> /really/ don't want url rewriting to ever occur:
>
> http://mail-archives.apache.org/mod_mbox/tomcat-users/200407.mbox/%3C4106C206.2020702@fiskars.com%3E
>
> I'm not sure why you'd ever want to do this, though. I'd love to hear
> your reason for doing it, though.
>
> - -chris
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFHIhgg9CaO5/Lv0PARArw0AJ0Uzmwq/lLT1IWHxn/xADxiZLzpgACfUrep
> qUM56Ih/0NPu9XWeK5LE1ws=
> =s4JG
> -----END PGP SIGNATURE-----
>
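Ken's post above raises the cookie check he has not written yet, and Chris's reply earlier on the page warns that a cookie-less spider hitting a session-using site gets a new session on every request. The filter below is an added example covering both (it is not code from this thread or from Tomcat; the class name CookieCheckFilter, the `cookiecheck` parameter, the `/cookies-required.html` path and the User-Agent fragments are all assumptions made for the example): a first-time visitor is given a session and redirected once to the same URL with a marker parameter; if the session id does not come back in a cookie, the visitor is shown a "cookies required" page; requests that look like crawlers bypass the check entirely and are not given a session by this filter.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * CookieCheckFilter: hypothetical name, added example (not code from this thread).
 * Leg 1: a visitor with no session gets one and is redirected to the same URL plus a
 * marker parameter. Leg 2: if the id did not come back in a cookie, the visitor is
 * forwarded to a "cookies required" page. Crawlers skip both legs.
 */
public class CookieCheckFilter implements Filter {

    /** Marker parameter for the second leg (name is an assumption). */
    private static final String CHECK_PARAM = "cookiecheck";
    /** Page explaining that the site needs cookies (path is an assumption). */
    private static final String NO_COOKIE_PAGE = "/cookies-required.html";
    /** Constructed User-Agent fragments; a deployment would keep its own list. */
    private static final String[] CRAWLER_MARKERS = {"googlebot", "bingbot", "slurp", "spider", "crawler"};

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Crawlers return no cookies: redirecting them would only show them the
        // "cookies required" page, and a session per request just burns memory.
        if (isCrawler(request)) {
            chain.doFilter(request, response);
            return;
        }

        // Leg 2: the marker is present, so the Set-Cookie from leg 1 has had its chance.
        if (request.getParameter(CHECK_PARAM) != null) {
            if (!request.isRequestedSessionIdFromCookie() || !request.isRequestedSessionIdValid()) {
                request.getRequestDispatcher(NO_COOKIE_PAGE).forward(request, response);
            } else {
                response.sendRedirect(withoutCheckParam(request)); // clean URL from here on
            }
            return;
        }

        // Leg 1: GET with no session yet. The redirect URL is deliberately not passed
        // through encodeRedirectURL(), so no ;jsessionid is ever written into it.
        if (request.getSession(false) == null && "GET".equalsIgnoreCase(request.getMethod())) {
            request.getSession(true);
            response.sendRedirect(withCheckParam(request));
            return;
        }

        chain.doFilter(request, response);
    }

    private static boolean isCrawler(HttpServletRequest request) {
        String ua = request.getHeader("User-Agent");
        if (ua == null) {
            return false;
        }
        ua = ua.toLowerCase(Locale.ENGLISH);
        for (String marker : CRAWLER_MARKERS) {
            if (ua.indexOf(marker) >= 0) {
                return true;
            }
        }
        return false;
    }

    /** Current URL plus the marker parameter. */
    private static String withCheckParam(HttpServletRequest request) {
        StringBuffer url = request.getRequestURL();
        String query = request.getQueryString();
        url.append(query == null ? "?" : "?" + query + "&");
        return url.append(CHECK_PARAM).append("=1").toString();
    }

    /** Current URL with every occurrence of the marker parameter removed. */
    private static String withoutCheckParam(HttpServletRequest request) {
        StringBuilder kept = new StringBuilder();
        String query = request.getQueryString();
        if (query != null) {
            for (String pair : query.split("&")) {
                if (pair.equals(CHECK_PARAM) || pair.startsWith(CHECK_PARAM + "=")) {
                    continue;
                }
                if (kept.length() > 0) {
                    kept.append('&');
                }
                kept.append(pair);
            }
        }
        String base = request.getRequestURL().toString();
        return kept.length() == 0 ? base : base + "?" + kept;
    }
}
```

Map it on `/*` ahead of the application. Two caveats: the User-Agent match only decides whether to run the check, so nothing security-relevant depends on it being spoof-proof; and a filter cannot stop the application itself from creating a session for a crawler, so Len's advice earlier in the thread still applies: keep `<%@page session="false"%>` in the JSPs a crawler can reach and avoid calling `request.getSession()` on those paths.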



Re: Turning off jsessionid

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ken,

Ken Bowen wrote:
> Is there a way to tell Tomcat to never rewrite urls?  I.e., to never add
> jsessid ?

Do you want to completely disable sessions, or just always require cookies?

While the servlet specification does not require containers to provide
URL-rewriting, they are nearly useless without that capability.

This post from July 2004 includes a suggestion for a workaround when you
/really/ don't want url rewriting to ever occur:

http://mail-archives.apache.org/mod_mbox/tomcat-users/200407.mbox/%3C4106C206.2020702@fiskars.com%3E

I'm not sure why you'd ever want to do this, though. I'd love to hear
your reason for doing it, though.

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHIhgg9CaO5/Lv0PARArw0AJ0Uzmwq/lLT1IWHxn/xADxiZLzpgACfUrep
qUM56Ih/0NPu9XWeK5LE1ws=
=s4JG
-----END PGP SIGNATURE-----
